tofsee | ba4e6a37a573d52c8662858559fc0ce0b99156bbbb56b44762912243c4abe39c | Triage

Sharing

General

Target

ba4e6a37a573d52c8662858559fc0ce0b99156bbbb56b44762912243c4abe39c.exe
Size

13.5MB
Sample

241123-pk1yba1lbp
MD5

d10e66a249b3d6e9523b2ef377a732e0
SHA1

bbebd8b6af0275d16f7613451665f9e749bcec45
SHA256

ba4e6a37a573d52c8662858559fc0ce0b99156bbbb56b44762912243c4abe39c
SHA512

df255294220063308eb1155cd5f8a299f8e3f64084aa0d66178f69bf1ebe6245a861c6070a9fdeda4ab75a9870bfde4b8745c56ddd638197925b892556ff3ea2
SSDEEP

6144:NpQ6t5O5aSeJhB5Cnyt+dg/KRJC8jbPzxRL2RjZyjSIQf4GFx:Nm6+8Rhqnycdg/SljbbxRL+Z6Sr7Fx

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  ba4e6a37a573d52c8662858559fc0ce0b99156bbbb56b44762912243c4abe39c.exe
- Size
  
  13.5MB
- MD5
  
  d10e66a249b3d6e9523b2ef377a732e0
- SHA1
  
  bbebd8b6af0275d16f7613451665f9e749bcec45
- SHA256
  
  ba4e6a37a573d52c8662858559fc0ce0b99156bbbb56b44762912243c4abe39c
- SHA512
  
  df255294220063308eb1155cd5f8a299f8e3f64084aa0d66178f69bf1ebe6245a861c6070a9fdeda4ab75a9870bfde4b8745c56ddd638197925b892556ff3ea2
- SSDEEP
  
  6144:NpQ6t5O5aSeJhB5Cnyt+dg/KRJC8jbPzxRL2RjZyjSIQf4GFx:Nm6+8Rhqnycdg/SljbbxRL+Z6Sr7Fx
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan